Computer Crime Research Center

Business counts the cost of cyber crime

From industrial espionage to online theft, corporations are struggling to deal with the growing menace of cyber attacks

France's finance ministry revealed this week it had become the latest state department to be hit by a cyber attack, forcing it to shut down its systems as hackers targeted documents related to the G20 summit in Paris.

This comes just weeks after UK foreign minister William Hague said the UK had come under attack from a hostile state's intelligence agency and an official report warned that cyber crime costs the UK Government about £2.2bn a year. The report released by the Office of Cyber Security and Information Assurance (OCSIA) found the cost to British business was even more severe at over £20bn a year.

Despite increasing publicity around the attacks, businesses are not doing enough to prevent them, according to a report released yesterday. Ovum analyst Graham Titterington said cyber espionage was a "growing threat to business viability", adding: "Cyber criminals are graduating from stealing credit cards and banking credentials to targeting corporate plans and proprietary information. They want valuable information such as product and technology blueprints, customer lists, or information that can be used to embarrass or disadvantage a victim."

The OCSIA report, compiled by Detica and released last month, estimated that cyber crime costs UK businesses £9.2bn in theft of intellectual property, including designs, trade secrets and methodology.

A further £7.6bn comes from industrial espionage, involving the theft and exploitation of non-IP data, and £2.2bn from extortion. Direct online theft from financial services and construction makes up £1.3bn and a further £1bn comes from the loss or theft of customer data. The report said: "The results of this study suggest that businesses of all sectors need to look again at their defences to determine whether their information is indeed well protected." Some have questioned the numbers, saying that organisations do not like to broadcast if their systems have been breached – and when it does happen, it's often difficult to quantify the impact.

Yet, the Cabinet Office said, with over 60 companies all looking to sell cyber security products and releasing their own numbers, the report compiled for the OCSIA by Detica gave the "best estimate" of the extent of the cost of cyber crime across the UK. There is certainly no argument over the seriousness of the issue, with many of the problems coming from within companies themselves.

Edward Hamilton, head of information security and assurance at Analysys Mason, said: "Most security breaches happen because of employees – like leaving a laptop on a train – and a lot of cyber security is trying to minimise the threats of people being stupid. The easiest way to get information from an organisation is to bribe an employee.

"Then there is cyber crime run by highly skilled, intelligent people. It is a totally different level of threat."

This includes cyber espionage aimed at senior managers at an organisation who are sent "spear phishing" emails containing malicious links or attachments that affect their machines. Hackers can then identify assets and steal information.

"Most of these won't be detected. They are much more complicated to address and the threat level is significantly higher," he said. "Cyber criminals have greater access to sophisticated technology and they are attacking a more wired business world."

Ovum calls on businesses to raise their awareness of cyber attacks, restrict sensitive information, protect data held on outside sites, vet those who have access to sensitive information and carry out a risk analysis on mobile devices and removable media. Mr Titterington said: "Enterprises need to wake up to the danger posed or risk losing valuable information and having to deal with the consequences."

Jay Heiser, research vice president at Gartner, said: "The external cyber crime threat is increasing at a faster rate and the criminals are getting better at it. They have become increasingly professional." He added that it was not the biggest companies that would suffer. "Big oil companies, global financial firms and pharma all have a very mature approach to cyber crime. They see spending on systems as another cost of doing business.

"My concern is the medium-tier companies, as it's harder for them to make a business case."

The UK Government is aware of the importance of the issue and has taken a series of steps to help combat the problem. It announced a £650m investment in a new national cyber security programme as part of the Strategic Defence and Security Review in October. The OCSIA report called for a central reporting mechanism to allow businesses to report cyber crime and allow the Government to build up a more accurate picture of the level of attacks.

The state has also heeded the call to engage with the private sector over the issue. A Cabinet Office spokesman said Prime Minister David Cameron, Foreign Secretary William Hague and Security Minister Baroness Neville-Jones met recently with representatives from the telecoms, defence, finance, retail, energy, IT and pharma industries to discuss the growing importance of cyber security.

"The meeting called on industry to form a structural partnership with Government to share information about threats and vulnerabilities, as well as co-designing policies on cyber security for the benefit of the UK as a whole," he said.

Mr Heiser added: "Our infrastructure will not collapse from cyber crime. This is Spy vs Spy. A slow, steady increase in threat is being addressed in fits and starts by companies, who are slowly and steadily increasing their security."